Version 12 as of 2019-05-04 15:52:27
Deleted text. | Added text. |
Line 4: | Line 4: |
<<TableOfContents()>> | |
Line 9: | Line 10: |
* `apt install slapd` | * `apt install slapd slapd-contrib` |
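Review bot: the reason for the new slapd-contrib package is missing from the install line; say that it provides the contrib overlay modules (smbk5pwd, which the Overlay section added in this same revision loads from contrib/slapd-modules), since a reader following only this step has no way to know why the extra package is needed.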
Line 56: | Line 57: |
Change the default hash from SSHA to CRYPT SHA512 with 10001 rounds {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: olcDatabase={-1}frontend,cn=config changetype: modify add: olcPasswordHash olcPasswordHash: {CRYPT} - dn: cn=config changetype: modify add: olcPasswordCryptSaltFormat olcPasswordCryptSaltFormat: $6$rounds=100001$%.16s EOF }}} |
|
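Review bot: the here-document in this hunk is unquoted (`cat <<EOF`), so the shell expands `$6` and `$rounds` to empty strings before ldapmodify reads the LDIF, and `olcPasswordCryptSaltFormat` is stored as `=100001$%.16s` rather than `$6$rounds=100001$%.16s`; write `cat <<'EOF'` here (the olcRootPW step on the page already single-quotes the same format when passing it to slappasswd). The sentence introducing the block also says 10001 rounds while the format line sets rounds=100001; one of the two should be corrected.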
Line 77: | Line 94: |
=== Overlay === cf https://www.openldap.org/doc/admin24/overlays.html ==== Unique ==== {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: unique EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config objectClass: olcUniqueConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: unique olcUniqueAttribute: cn mail krb5PrincipalName EOF }}} ==== MemberOf ==== {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: memberof EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: top olcOverlay: memberof olcMemberOfDangling: error olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfNames olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf EOF }}} ==== RefInt ==== {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad:refint EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: refint olcRefintAttribute: memberof member manager owner EOF }}} ==== smbk5pwd ==== To do only after KDC initialization. This overlay allow to keep ldap password and kerberos key in sync. 
cf https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/smbk5pwd {{{ apt install samba setfacl -m 'u:openldap:r' /var/lib/heimdal-kdc/m-key zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | ldapadd -Y EXTERNAL -H ldapi:/// }}} {{{ cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: smbk5pwd EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config objectClass: olcSmbK5PwdConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: smbk5pwd }}} ==== Ppolicy ==== Order of overlay are important (last added called first) so this one must be after smbk5pwd (so we check the password before smbk5pwd edit related password attributes) cf http://www.zytrax.com/books/ldap/ch6/ppolicy.html {{{ ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:/// dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad:ppolicy EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcPPolicyConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com olcPPolicyUseLockout: FALSE olcPPolicyHashCleartext: TRUE EOF }}} {{{ cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:/// dn: cn=default,ou=Policies,dc=example,dc=com objectClass: pwdPolicy objectClass: organizationalRole cn: default pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdFailureCountInterval: 900 pwdLockout: TRUE pwdLockoutDuration: 900 pwdMaxFailure: 10 pwdMinLength: 12 pwdCheckQuality: 1 pwdSafeModify: FALSE pwdMaxAge: 0 pwdMinAge: 0 pwdInHistory: 0 EOF }}} |
|
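Review bot: the smbk5pwd `ldapadd` here-document ends with `olcOverlay: smbk5pwd }}}` and has no terminating `EOF` line, so the shell never closes it; add `EOF` after `olcOverlay: smbk5pwd` as every other block in the hunk does. Further down, the `dn: cn=default,ou=Policies,dc=example,dc=com` add assumes that `ou=Policies,dc=example,dc=com` already exists, but no step on the page creates that OU; either add it or note that it must exist first.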
Line 113: | Line 286: |
* Edit | * Edit /etc/heimdal-kdc/kdc.conf and change the `database =` section {{{ database = { dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com hdb-ldap-structural-object = inetOrgPerson acl_file = /etc/heimdal-kdc/kadmind.acl mkey_file = /var/lib/heimdal-kdc/m-key } }}} * Create the OU ou=KerberosPrincipals,dc=example,dc=com in the ldap * `service heimdal-kdc restart` * {{{ # kadmin -l init EXAMPLE.COM Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: }}} * Edit /etc/default/heimdal-kdc and set KPASSWDD_ENABLED to no (otherwise password will not be synced between ldap and kerberos) * For each realm, export the kadmin/admin user: {{{ kadmin -l ext kadmin/admin@EXAMPLE.COM kadmin -l ext kadmin/admin@EXAMPLE.NET }}} This will create a keytab file at /etc/krb5.keytab. We move it to /etc/heimdal-kdc/keytab/kadmin.keytab * Edit /etc/inetd.conf add the following options de kadmind: {{{ kerberos-adm stream tcp nowait root /usr/sbin/tcpd /usr/lib/heimdal-servers/kadmind --keytab=/etc/heimdal-kdc/keytab/kadmin.keytab -c /etc/heimdal-kdc/kdc.conf }}} * Edit /etc/heimdal-kdc/kadmind.acl and define a user as admin. For instance {{{ #principal [priv1,priv2,...] 
[glob-pattern] admin@EXAMPLE.COM all,get-keys }}} ==== Multi REALM ==== Create another realm in the KDC (e.g EXAMPLE.NET) {{{ # kadmin -l init EXAMPLE.NET Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: }}} For users of realm EXAMPLE.COM to be able to auth on apps on realm EXAMPLE.NET: {{{ # kadmin -l add -r krbtgt/EXAMPLE.NET@EXAMPLE.COM Max ticket life [1 day]:unlimited Max renewable life [1 week]:unlimited Principal expiration time [never]: Password expiration time [never]: Attributes []: Policy [default]: }}} = Administration Tasks = == Change a Password == A user can change its password using `ldappasswd`, for instance {{{ $ ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=username,ou=Users,dc=example,dc=com" }}} This will prompt for the user new password (`-S`), then the current user password to connect to the ldap server (`-W`) authenticating with binddn (`-D "cn=username,ou=Users,dc=example,dc=com"`) using simple bind (`-x`) == Reset a user password == Just bind with a admin account and give ldappasswd the dn of the user as last parameter. For instance: {{{ ldappasswd -Y EXTERNAL -H ldapi:/// -S "cn=username,ou=Users,dc=example,dc=com" }}} or {{{ ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=admin,dc=example,dc=com" "cn=username,ou=Users,dc=example,dc=com" }}} If `-S` is omitted, the ldap server will generate a new password and ldappasswd will display it on stdout. |
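Review bot: "add the following options de kadmind" leaves a French word in the English text ("options to kadmind"), and the keytab relocation is only described in prose ("We move it to /etc/heimdal-kdc/keytab/kadmin.keytab") although the inetd line that follows depends on that path through `--keytab=`; giving the move as a command would keep this step copy-pasteable like the rest of the hunk.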
Contents
Installing OpenLDAP + Heimdal Kerberos on Debian Stretch with Multiple Realms
Setting up OpenLDAP
apt install slapd slapd-contrib
- Define the admin password
Run dpkg-reconfigure slapd and make the initial configuration. Choose MDB as the backend.
In the following, we assume the base DN of your database is in BASEDN. So if you chose example.com as the domain in the previous step, run export BASEDN="dc=example,dc=com"
You can now connect to dc=example,dc=com as user cn=admin,dc=example,dc=com with the password you chose.
- Disable anonymous binds and require authentication
cat <<'EOF' | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
Optionally set a password to access cn=config (I use Apache Directory Studio and shelldap)
PASSWORD=$(slappasswd -c '$6$rounds=100001$%.16s')
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: $PASSWORD
EOF
unset PASSWORD
You can now connect to cn=config as user cn=admin,cn=config.
Change the default hash from SSHA to CRYPT SHA512 with 10001 rounds
cat <<'EOF' | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}
-

dn: cn=config
changetype: modify
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$rounds=100001$%.16s
EOF
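Changing the default hash only affects passwords set from now on; entries created before this step keep their {SSHA} value until the password is next changed. The following Python audit, added here and not part of the original page, reads a `slapcat` dump and lists the accounts that are not yet stored as {CRYPT} SHA-512 with the configured rounds. The sample LDIF, DNs and hash values are constructed for the example.

```python
import base64
import re
REQUIRED_ROUNDS = 100001                      # rounds set by olcPasswordCryptSaltFormat above
CRYPT_SHA512 = re.compile(r"^\{CRYPT\}\$6\$rounds=(\d+)\$")

# Constructed sample of `slapcat -n 1` output (not real data): one value is base64
# ('::', as slapcat emits userPassword) and one is folded with a leading space.
SAMPLE_LDIF = """\
dn: cn=alice,ou=Users,dc=example,dc=com
userPassword: {CRYPT}$6$rounds=100001$abcdefghijklmnop$constructedhashvaluefolde
 dontothenextline

dn: cn=bob,ou=Users,dc=example,dc=com
userPassword:: e1NTSEF9YWJj

dn: cn=carol,ou=Users,dc=example,dc=com
userPassword: {CRYPT}$6$rounds=5000$shortsalt$constructedhash
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, decodes '::' base64."""
    unfolded = re.sub(r"\n ", "", text)       # RFC 2849: a leading space continues the previous line
    entries = []
    for record in filter(None, unfolded.split("\n\n")):
        dn, attrs = None, {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries

def weak_password_hashes(ldif_text, min_rounds=REQUIRED_ROUNDS):
    """Map DN -> stored scheme for each userPassword not yet CRYPT SHA-512 with >= min_rounds."""
    weak = {}
    for dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("userPassword", []):
            m = CRYPT_SHA512.match(pw)
            if m and int(m.group(1)) >= min_rounds:
                continue                       # already on the configured scheme
            if m:
                weak[dn] = f"{{CRYPT}} rounds={m.group(1)}"   # right scheme, too few rounds
            else:
                weak[dn] = pw.split("}", 1)[0] + "}" if pw.startswith("{") else "cleartext"
    return weak
```

Run it on a real dump with `slapcat -n 1 > dump.ldif` and pass the file contents to `weak_password_hashes`; each DN it returns still needs a password change (or a reset, see Administration Tasks) before the old hash disappears.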
OpenLDAP + TLS with a Let's Encrypt certificate
We assume you already have a Let's Encrypt certificate for ldap.example.com.
Connect to cn=config using shelldap: shelldap --server ldapi:// --basedn cn=config -Y EXTERNAL
Edit the current entry (cn=config) with vi . and set:
- olcTLSCACertificateFile to chain.pem
- olcTLSCertificateFile to cert.pem
- olcTLSCertificateKeyFile to privkey.pem
- olcTLSVerifyClient to never
Edit /etc/default/slapd and set SLAPD_SERVICES="ldaps:/// ldapi:///"
service slapd restart
ACL
We only use LDAP as an authentication database, not as an address book, so we need to restrict the ACLs more than the defaults do. Access to the directory is already restricted to authenticated users.
For Heimdal, add the following olcAccess value to olcDatabase={1}mdb,cn=config, so that the KDC, which connects as root over ldapi, can manage the principal entries:
{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
Overlay
See https://www.openldap.org/doc/admin24/overlays.html
Unique
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: unique
olcUniqueAttribute: cn mail krb5PrincipalName
EOF
MemberOf
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: error
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF
RefInt
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: refint
olcRefintAttribute: memberof member manager owner
EOF
smbk5pwd
Do this only after the KDC has been initialized. This overlay keeps the LDAP password and the Kerberos keys in sync. See https://github.com/openldap/openldap/tree/master/contrib/slapd-modules/smbk5pwd
The setfacl line gives the openldap user read access to the KDC master key, which smbk5pwd needs in order to encrypt the Kerberos keys it writes.
apt install samba
setfacl -m 'u:openldap:r' /var/lib/heimdal-kdc/m-key
zcat /usr/share/doc/samba/examples/LDAP/samba.ldif.gz | ldapadd -Y EXTERNAL -H ldapi:///

cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: smbk5pwd
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd
EOF
Ppolicy
The order of the overlays matters (the last one added is called first), so this one must be added after smbk5pwd, so that ppolicy checks the password before smbk5pwd updates the related password attributes.
See http://www.zytrax.com/books/ldap/ch6/ppolicy.html
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyUseLockout: FALSE
olcPPolicyHashCleartext: TRUE
EOF

cat <<EOF | ldapadd -Y EXTERNAL -H ldapi:///
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 10
pwdMinLength: 12
pwdCheckQuality: 1
pwdSafeModify: FALSE
pwdMaxAge: 0
pwdMinAge: 0
pwdInHistory: 0
EOF
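As an added check for the ordering rule above (not code from the original page): slapd assigns each overlay an {n} index in the order it was added, and calls them from the highest index down to the database. The helper below derives that call order from the overlay DNs under olcDatabase={1}mdb,cn=config and verifies that ppolicy sits above smbk5pwd. The DN list is constructed to match the overlays added in this section and assumes they were added in the order shown.

```python
import re

# Constructed list of overlay DNs, as an ldapsearch on olcDatabase={1}mdb,cn=config for the
# olcOverlay attribute would return them after the steps in this section (assumed order).
SAMPLE_OVERLAY_DNS = [
    "olcOverlay={0}unique,olcDatabase={1}mdb,cn=config",
    "olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config",
    "olcOverlay={2}refint,olcDatabase={1}mdb,cn=config",
    "olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config",
    "olcOverlay={4}ppolicy,olcDatabase={1}mdb,cn=config",
]

OVERLAY_DN = re.compile(r"^olcOverlay=\{(\d+)\}([^,]+),")


def call_order(dns):
    """Return overlay names in the order slapd invokes them on an operation.

    Overlays form a stack over the database: the one added last (highest {n})
    intercepts the operation first, and the database itself runs last.
    """
    indexed = sorted((int(m.group(1)), m.group(2))
                     for m in map(OVERLAY_DN.match, dns) if m)
    return [name for _, name in reversed(indexed)]


def ppolicy_runs_before_smbk5pwd(dns):
    """True when ppolicy validates a password change before smbk5pwd sees it."""
    order = call_order(dns)
    if "ppolicy" not in order or "smbk5pwd" not in order:
        return False                      # one of the two overlays is not configured
    return order.index("ppolicy") < order.index("smbk5pwd")
```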
Installing Heimdal KDC
apt install heimdal-kdc
- Leave the default realm, the list of Kerberos servers and the other parameters empty (we will configure them later)
LDAP Config
Add hdb schema
We need to import the Heimdal LDAP schema. To do so, we first convert the schema to LDIF.
mkdir /tmp/ldif_output
cat <<EOF > /tmp/schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/hdb.schema
EOF
slapcat -f /tmp/schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={1}hdb,cn=schema,cn=config" | sed 's/{1}hdb/hdb/' | grep '^\(dn:\|objectClass:\|cn:\|olc\| \)' > /etc/ldap/schema/hdb.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/hdb.ldif
KDC Config
The configuration below is based on the Heimdal github wiki https://github.com/heimdal/heimdal/wiki
Generate the KDC master key with kstash --random-key -e aes256-cts-hmac-sha1-96 and securely back up the created file /var/lib/heimdal-kdc/m-key: it is the secret key used to encrypt the Kerberos users' keys stored in the database.
Edit /etc/heimdal-kdc/kdc.conf and change the database = section
database = {
    dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
    hdb-ldap-structural-object = inetOrgPerson
    acl_file = /etc/heimdal-kdc/kadmind.acl
    mkey_file = /var/lib/heimdal-kdc/m-key
}
Create the OU ou=KerberosPrincipals,dc=example,dc=com in the LDAP directory
service heimdal-kdc restart
# kadmin -l init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
- Edit /etc/default/heimdal-kdc and set KPASSWDD_ENABLED to no (otherwise passwords will not be kept in sync between LDAP and Kerberos)
For each realm, export the kadmin/admin user:
kadmin -l ext kadmin/admin@EXAMPLE.COM
kadmin -l ext kadmin/admin@EXAMPLE.NET
This will create a keytab file at /etc/krb5.keytab. We move it to /etc/heimdal-kdc/keytab/kadmin.keytab.
Edit /etc/inetd.conf and add the following options to kadmind:
kerberos-adm stream tcp nowait root /usr/sbin/tcpd /usr/lib/heimdal-servers/kadmind --keytab=/etc/heimdal-kdc/keytab/kadmin.keytab -c /etc/heimdal-kdc/kdc.conf
Edit /etc/heimdal-kdc/kadmind.acl and define a user as admin. For instance:
#principal [priv1,priv2,...] [glob-pattern]
admin@EXAMPLE.COM all,get-keys
Multi REALM
Create another realm in the KDC (e.g. EXAMPLE.NET)
# kadmin -l init EXAMPLE.NET
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
For users of realm EXAMPLE.COM to be able to authenticate to services in realm EXAMPLE.NET, create the cross-realm principal:
# kadmin -l add -r krbtgt/EXAMPLE.NET@EXAMPLE.COM
Max ticket life [1 day]:unlimited
Max renewable life [1 week]:unlimited
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
Administration Tasks
Change a Password
A user can change their password using ldappasswd, for instance:
$ ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=username,ou=Users,dc=example,dc=com"
This prompts for the user's new password (-S), then for the user's current password to bind to the LDAP server (-W), authenticating as the bind DN (-D "cn=username,ou=Users,dc=example,dc=com") with a simple bind (-x).
Reset a user password
Just bind with an admin account and give ldappasswd the DN of the user as the last parameter. For instance:
ldappasswd -Y EXTERNAL -H ldapi:/// -S "cn=username,ou=Users,dc=example,dc=com"
or
ldappasswd -H ldaps://ldap.example.com -x -W -S -D "cn=admin,dc=example,dc=com" "cn=username,ou=Users,dc=example,dc=com"
If -S is omitted, the LDAP server generates a new password and ldappasswd displays it on stdout.